The Financial Industry Regulatory Authority (FINRA) recently released the results of its exam program to assess compliance with securities rules and regulations. FINRA conducts cyclical examinations of broker-dealer firms: each firm undergoes an examination at least once every four years. A report of the results is only available to the particular firm. Compliance issues identified in the report must be remediated by the firm. For the first time, on December 6, 2017, FINRA released a report on its findings from recent examinations, which can be read here (the “Report”). It contains selected observations, highlighted because the issues occur frequently or because of their broad impact on investors and markets. Firms may use the Report as a resource to strengthen and tailor their existing compliance and supervisory programs. FINRA clarifies that the Report “should not be read as creating a new legal or regulatory requirements or new interpretations of existing exam requirements.” The Report highlights a total of 11 topics, the last five of which are “operational deficiencies” that “have challenged some firms’ ability to meet their compliance obligations.”
FINRA called cybersecurity threats one of the principal operational risks facing broker-dealers, and identified several areas where cybersecurity programs can be improved. These areas include managing access to firms’ systems (for example, terminating departing employees’ access); developing processes to conduct ongoing risk assessment of data, systems and applications; branch office difficulties in managing passwords; updating software, including anti-virus software; and strengthening data loss prevention tools, such as broadening rules that prevent the transmission of Social Security numbers to include other sensitive data such as account numbers.
We note that cybersecurity compliance will be an exam priority in 2018 by the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC).
Outside Business Activities (OBAs) and Private Securities Transactions (PSTs)
Registered persons, other associated persons or firms of retail brokerage firms of all sizes failed to meet one or more of the OBA and PST obligations set forth in FINRA Rules 3270 and 3280. FINRA observed problems including the failure to notify their firms of proposed OBAs or PSTs (or the failure to provide such notice in writing), and insufficient information about the OBA or PST for the firm to make a determination; weaknesses in the firm’s review of OBAs and PSTs due to inadequate written supervisory procedures for such review or the failure to have such procedures; and the supervision of PSTs after their approval. This finding is especially noteworthy given the popularity of hybrid models involving an outside, or independent registered investment adviser maintained by a registered representative of the broker-dealer firm.
Anti-Money Laundering (AML) Compliance Program
FINRA Rule 3310 requires members to develop and implement a written AML compliance program reasonably designed to comply with the requirements of the Bank Secrecy Act (BSA), the purpose of which is to detect and cause the reporting of suspicious activity. FINRA observed instances where firms failed to establish and implement AML procedures; issues arising from the delegation of AML monitoring responsibilities, including inadequate escalation of potential suspicious activity, not clearly defining the responsibilities being delegated, and insufficient training for non-AML staff; and data feed gaps and problems which weaken the monitoring system.
AML was an OCIE exam priority in 2017. Broker-dealers registered with the SEC are deemed to be “financial institutions” for BSA purposes and should be aware that the SEC recently made it clear, by way of a lawsuit it filed in June of this year (SEC v. Alpine Securities Corp.), that AML is an enforcement priority as well.
FINRA identified issues with regard to suitability that occurred more frequently with certain product classes, specifically, unit investment trusts (UITs) and multi-share class and complex products such as leveraged and inverse exchange-traded funds (ETFs). It also observed that some firms failed to provide adequate training with respect to suitability issues, especially with these products.
In general, FINRA Rule 5310 requires that a member and associated persons use reasonable diligence to ascertain the best market for the security in question, and buy or sell in such market so that the resulting price to the customer is as favorable as possible. FINRA identified concerns with respect to best execution in equities, options and fixed income securities, and found that some firms failed to implement and conduct an adequate and regular review of the quality of the execution of customer orders. Firms failed to compare the quality of the executions obtained via their order routing and execution arrangements against the quality of the executions they could have obtained from competing markets, failed to conduct reviews of certain types of orders, and failed to consider certain factors set forth in FINRA Rule 5310 when conducting a review, such as speed of execution, price improvement and the likelihood of execution.
Market Access Controls
The SEC’s “Market Access Rule” requires broker-dealers with market access or that provide market access to customers to appropriately control the associated risks so as not to jeopardize their own financial condition or that of other market participants, the integrity of trading on the securities markets, and the stability of the financial system. FINRA identified problems in this area which include the failure to establish pre-trade financial thresholds (or to undertake due diligence to substantiate those thresholds), failure to implement and monitor aggregate capital or credit exposures, and inappropriately tailoring erroneous trade controls.
Alternative Investments Held in IRAs
Firms that carry customers’ alternative investment assets held in IRAs failed to apply the requirements of financial and operational rules applicable to alternative investments including the failure to establish possession or control as required by Securities and Exchange Act (“SEA”) Rule 15c3-3, incorrect account statements that did not reflect the firm’s custody of the assets, and the preparation of inaccurate net capital and reserve formula computations as required by SEC rules with respect to alternative investment assets the firm carried.
Net Capital and Credit Risk Assessments
In trying to comply with SEA Rule 15c3-1, some firms had problems assessing the creditworthiness of non-convertible debt or money market instruments they held in their inventory for client facilitation or other purposes. The issues arose in six areas: inadequate policies and procedures, inappropriate use of thresholds for conducting assessments to determine if securities have minimal credit risk, misapplication of SEC no-action letters, failure to apply proper charges for open contract commitments, improper use of indices as benchmarks for credit risk assessments, and inappropriate use of internal and external credit risk assessments.
Firms, regardless of size, that engage in an equities business, at times failed to comply with the requirement to enter the correct capacity code (e.g., agency, principal, riskless-principal) when reporting an off-exchange trade to a FINRA equity trade reporting facility. These errors reflected some firms’ misunderstanding of the distinctions between agency and riskless principal transactions.
FINRA observed instances of firms having trouble meeting certain responsibilities under Regulation SHO and relevant FINRA rules. The problem areas include over-reliance upon a third-party order management system and an inadequate level of supervision of that system, missing trading records from third-party order management systems, deficiencies in firms’ locate practices, and failure to maintain adequate written supervisory procedures for complying with Rule 204 of Regulation SHO regarding closeouts of fails to deliver.
FINRA observed that some firms that engaged in institutional sales of fixed-income securities frequently did not comply with certain TRACE reporting requirements, such as failing to report transactions in certain TRACE-eligible securities, reporting transactions to TRACE in an untimely manner, and failing to establish and maintain a supervisory system designed to achieve TRACE compliance.
The Report did not identify substantially new or different areas of concern; if anything, it reiterates observations and findings about compliance and operational topics already identified in the broker-dealer community. The fact that the same issues continue to be noted signifies a failure of the brokerage industry to fully and satisfactorily address them as of this date, and that FINRA remains ever vigilant in monitoring these compliance and operational “failures.”
Member firms, in the current environment where FINRA, SEC and other regulators such as the U.S. Department of Labor and state agencies are rethinking standards, practices and enforcement, should be very focused on serious and critical self-assessment to identify problems and remediate with the appropriate supervision, training and implementation of policies and procedures.